Are you GDPR Ready?
We’ve known about GDPR for a while now, but like most people we thought we would leave it for a rainy day. We felt a bit overwhelmed, as we hold a lot of business-critical data and there was a lot of noise out there.
We decided this was too big an issue to tackle on our own, so following our GDPR audit by Just Add Tech we have embarked on a belt-and-braces approach to implementing solutions, processes and procedures to ensure we are looking after our clients’ data and protecting their business. Smart Team have gone above and beyond our requirements, but it feels good to know we are doing what we can. It has also been a great way to review and analyse what we have been doing up to this point. If our own data is being protected as well as we are protecting our clients’ data, then I can rest easy at night.
You might have been lulled into thinking that GDPR does not apply to you, but we would highly recommend you give it more consideration. Take five minutes to find out more about GDPR and what it could mean for you.
If that doesn’t float your boat, no bother. Instead, have a look below at the things we have been working on to ensure our compliance with GDPR and the security of your data:
Restricted User Access
We know it might be easier to give everyone access to every system, as it stops people from being unproductive; you might even dabble in sharing single user logins to make life easier. Whilst this is the quick option, have you ever stopped to consider exactly who has access to what? Preventing data breaches, data corruption or data loss could be as simple as not allowing access to systems that people do not need. Stop the problem at source. We have reviewed all the systems we use, which users have access to each one and what their access rights are. Only people who need access have it. Yes, this causes a bit of pain when someone needs a one-off piece of information, but this is much less painful than the clean-up operation after a breach.
Encrypted Password Manager
If you are consistently using the same password, leaving login details on Post-it notes or, worse, creating a spreadsheet of logins, please stop it now. Use an encrypted password manager such as LastPass. If you have multiple staff, then using the Enterprise level will allow you to disable access centrally should someone leave. You can run security challenges to test how strong their passwords are and whether they are reusing the same password across multiple sites. We know it is impossible to generate and remember tens, if not hundreds, of logins, but with LastPass you don’t need to. It will do the hard work for you.
Email Transmission Encryption
Unsecured email is a common area that the bad guys tend to attack. Our email system is configured to encrypt the transmission of data between our email clients (Microsoft Outlook 2016) and our email server (Microsoft Exchange). This means that if any person or system were trying to snoop on our emails in transit, they would just see scrambled text that would mean nothing to them.
How many times have you sent an email and instantly known that you sent it to the wrong person? This is a really simple fix. Using Outlook we have put a 2-minute time delay on our emails. Quite simply, this means that once an email is sent it will sit in your Outbox for the time specified before actually going out. This allows you ample time to feel the horror, but then take corrective action before that email goes. Phew!
Remote working now plays a huge part in the work that we do, and probably in yours as well. That being said, we want to remain safe whilst out and about, and let’s face it, you don’t know who is sat with you in the local coffee shop intercepting and using your data. As such we have implemented a VPN (Virtual Private Network), which extends our private network across a public network, so traffic from our laptops travels back to our own network through an encrypted tunnel rather than in the clear over the coffee shop’s Wi-Fi.
Secure Client Portal
This has been a work in progress for coming up to four months now. Back in January we started looking for new practice management software, and after testing six solutions we are very pleased to be working with Senta. It has many great features, but one in particular will help us with our GDPR compliance: the secure client portal with e-signing. We can now allow clients to access a secure portal to submit data and e-sign documents without that data ever being sent via email or in the post. There is also only one single source of the document, so no need to worry about version control. We will be sending information out shortly to clients to explain how this works.
Two-Step Authentication in Xero
Every member of staff that accesses Xero has Two-Step Authentication turned on. When you have Two-Step Authentication enabled, you need to use a second method to log in to Xero. In addition to your standard Xero username and password, you also have to enter a six-digit code provided by a separate app on your smartphone, Google Authenticator.
Each of our laptops has up-to-date anti-virus software. Password resets are forced every 42 days. It is company policy not to have any documents stored on your desktop. As all records are accessed via shared cloud solutions, there is also no reason for any member of staff to use an external hard drive or USB device to transport or work on client records.
In the rare instance that we get post (you know who you are, HMRC), it is scanned and stored in Microsoft SharePoint. The original document is then bagged ready for secure shredding, which is collected and disposed of. The full sacks are securely sealed, taken in tracked vans to a depot with CCTV, and the whole bag is shredded so no one accesses that data. Once the process has been completed we are provided with a certificate of destruction.